IT staff snooping HR and layoff lists, taking data with them

More than a third of system administrators admitted in a recent survey that …

It's no secret that the IT staff can see things like your on-the-job porn surfing habits, your e-mail exchanges, and whatever else you're doing on your PC during work hours. But, according to a new report by Cyber-Ark Software, the IT department may be snooping a little deeper than anyone expects. In a recent survey of network admins and other IT staff, more than a third admitted to snooping into HR records, layoff lists, customer databases, and M&A plans.

The company surveyed more than 400 IT administrators during Infosecurity Europe 2009 and RSA USA 2009, and found that 35 percent of workers openly admitted to accessing the aforementioned company data without authorization. Another 74 percent said that they could easily circumvent the security measures in place to protect that kind of information.

Even more disturbing is the number of sysadmins who said they would take data with them if they were to get laid off or fired. Nearly half said they would take all manner of information with them, including the company's customer database, e-mail server admin information, M&A plans, R&D plans, the CEO's passwords, financial reports, and the privileged password list. These numbers are all up from Cyber-Ark's 2008 survey, which indicated that only 35 percent would take the customer database, 31 percent would take the privileged password list, and a mere 7 percent would take the company's M&A plans. The rest of the numbers hovered between 11 and 13 percent.

"As the economic climate has worsened, the survey found a sharp increase in the number of respondents who say they would take proprietary data and information that is critical to maintaining competitive advantage and corporate security," wrote Cyber-Ark. The firm pointed out that one in five companies said that they had been subject to insider sabotage or IT security fraud, and that 36 percent suspected that their competitors had received their company's sensitive data or IP.

Cyber-Ark points out the obvious with this revelation. "Unauthorized access to information such as customer credit card data, private personnel information, internal financial reports and R&D plans leaves a company vulnerable to a severe data leak with the risk of financial or regulatory exposure and damage to its brand, or competitors obtaining critically important competitive information," Cyber-Ark CEO Udi Mokady said. "Businesses must wake up and realize that trust is not a security policy; they have an organizational responsibility to lock down sensitive data and systems, while monitoring all activity even when legitimate access is granted."

The data seems to confirm previous findings that insiders are responsible for more computer security problems than other elements like viruses and malware. The Computer Security Institute issued a report in 2007 saying that financial fraud and viruses had fallen in recent years, but that internal users (whether intentional or not) were causing the greatest number of problems. Verizon's Business RISK Team also said earlier this year that the median number of breaches caused by insiders in 2008 was the highest out of any category, though the predominance of total records lost was still attributed to outsiders.

Jacqui Cheng
Jacqui is an Editor at Large at Ars Technica, where she has spent the last eight years writing about Apple culture, gadgets, social networking, privacy, and more. Email: jacqui@arstechnica.com // Twitter: @eJacqui